a-langer / nexus-sso

Single Sign-On patch for Nexus OSS
Eclipse Public License 1.0

Patch for Nexus OSS that adds authorization via SSO and tokens. By default these features are available only in the PRO version (see comparison), but this patch provides an alternative implementation of them without violating the license.

The solution is implemented as a Docker container (based on the official image with the SSO patch applied) and a compose.yml config with Nginx. Example of usage:

  # Clone configuration and change to working directory
  git clone https://github.com/a-langer/nexus-sso.git
  cd ./nexus-sso
  # Copy compose.override.yml from the template for your settings
  cp _compose.override.yml compose.override.yml
  # Set environment variables for container user
  export NEXUS_USER=$(id -u) NEXUS_GROUP=$(id -g)
  # Run service and open http://localhost in web browser
  docker compose up -d

Supported features and examples of usage

Note: Since version 3.70.0-java11-ubi, the image and all libraries have been updated to Java 11. See the release notes for more information.

Since version 3.61.0, to use SSO and User Tokens it is enough to have the following realms in the order listed:

  1. "Local Authenticating Realm" - built-in realm used by default.
  2. "SSO Pac4j Realm" - single sign-on realm that uses an external Identity Provider (IdP).
  3. "SSO Token Realm" - realm that allows you to use user tokens instead of a password.
  4. "Docker Bearer Token Realm" - required to access Docker repositories through a Docker client (must be below the "SSO Token Realm").

Other realms are not required and may lead to conflicts.
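
A check for the realm list above, as an added example that is not part of the nexus-sso project: it takes the available realms (id/name pairs) and the ordered active realm ids as JSON and reports missing, extra, or misordered realms. The JSON shapes and the realm ids in the sample data are assumptions constructed for illustration; the realm names come from the list above.

```python
import json

# Realm names in the order the README requires (top of the list first).
REQUIRED_ORDER = [
    "Local Authenticating Realm",
    "SSO Pac4j Realm",
    "SSO Token Realm",
    "Docker Bearer Token Realm",
]

# Constructed sample data: the ids are placeholders, not real Nexus realm ids.
SAMPLE_AVAILABLE = json.dumps(
    [{"id": "realm-local", "name": "Local Authenticating Realm"},
     {"id": "realm-pac4j", "name": "SSO Pac4j Realm"},
     {"id": "realm-token", "name": "SSO Token Realm"},
     {"id": "realm-docker", "name": "Docker Bearer Token Realm"},
     {"id": "realm-extra", "name": "Example Extra Realm"}])
SAMPLE_ACTIVE_GOOD = json.dumps(
    ["realm-local", "realm-pac4j", "realm-token", "realm-docker"])
SAMPLE_ACTIVE_BAD = json.dumps(
    ["realm-local", "realm-docker", "realm-extra", "realm-token"])


def check_realms(available_json, active_json):
    """Return findings; an empty list means the active realms match the README."""
    # Map realm id -> display name, then translate the ordered active ids.
    names = {r["id"]: r["name"] for r in json.loads(available_json)}
    active = [names.get(i, i) for i in json.loads(active_json)]
    findings = [f"missing realm: {n}" for n in REQUIRED_ORDER if n not in active]
    # Realms outside the list are not required and may lead to conflicts.
    findings += [f"extra realm (may conflict): {n}"
                 for n in active if n not in REQUIRED_ORDER]
    # Compare the relative order of the required realms that are present;
    # this also catches "Docker Bearer Token Realm" above "SSO Token Realm".
    present = [n for n in active if n in REQUIRED_ORDER]
    expected = [n for n in REQUIRED_ORDER if n in present]
    if present != expected:
        findings.append("order differs: " + " > ".join(present))
    return findings


if __name__ == "__main__":
    for label, active in (("good", SAMPLE_ACTIVE_GOOD), ("bad", SAMPLE_ACTIVE_BAD)):
        print(label, check_realms(SAMPLE_AVAILABLE, active) or "OK")
```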

List of features this patch adds:

Development environment

Requires Maven and Docker with the Compose and BuildKit plugins installed:

  1. Change the Nexus version if an update is required (see Release Notes and Maven Central for more information), e.g.:

    # Set version of the current project and any child modules
    mvn versions:set -DnewVersion=3.46.0
    # Optionally, set the revision number of the Nexus plugins
    mvn versions:set-property -Dproperty=nexus.extension.version -DnewVersion=02

  2. Execute assembly commands:

    # Build docker image
    mvn clean install -PbuildImage
    # Or build only jar bundle if needed
    mvn clean package

  3. Run docker container and test it:

    # Run service and open http://localhost in web browser
    docker compose down && docker compose up

  4. Accept or revert modifications to the pom.xml files:

    # Accept modifications
    mvn versions:commit
    # Or revert modifications and rebuild docker image
    mvn versions:revert && mvn clean install -PbuildImage